MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f150c064aa08e8d327c99a2edf0811a9bb6e06398d0d846b69a0c321ff6ab259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



RedLineStealer


Vendor detections: 11



SHA256 hash: f150c064aa08e8d327c99a2edf0811a9bb6e06398d0d846b69a0c321ff6ab259
SHA3-384 hash: 86ff405216ff94e4cd142d4e023f85ebda48e0bf9292d816d7951f771f3437a9ed3a861165457db268d7b6e7f504b84f
SHA1 hash: a5b3ab13138039b198a3454d99fd9e43a5d10f3b
MD5 hash: 83e6e738876fde792abae146193d4963
humanhash: nineteen-double-maryland-golf
File name: SecuriteInfo.com.W32.AIDetect.malware2.24812.11752
Signature: RedLineStealer
File size: 287'744 bytes
First seen: 2021-09-03 01:47:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b7ebe503aba8ff6fce4b2b89581116dd (4 x ArkeiStealer, 3 x Stop, 2 x RedLineStealer)
ssdeep: 6144:UI7zL718A97H9E5SGCeGDJkaPtVvMG+8K:UI7zHSo7ds1Cv9tm
Threatray: 1'881 similar samples on MalwareBazaar
TLSH: T14554E03177A1C433D5E2E9749874CEA02B3FB8A62964828B76753F1B2D712C1963235F
dhash icon: 4839b2b0e8c38890 (105 x RaccoonStealer, 38 x Smoke Loader, 33 x RedLineStealer)
Reporter: SecuriteInfoCom
Tags: exe RedLineStealer

Intelligence


File Origin
# of uploads: 1
# of downloads: 162
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.W32.AIDetect.malware2.24812.11752
Verdict: Malicious activity
Analysis date: 2021-09-03 01:49:59 UTC
Tags: trojan rat redline stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
DNS request
Connection attempt
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% directory
Deleting a recently created file
Reading critical registry keys
Creating a file
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: RedLine
Detection: malicious
Classification: troj.spyw.evad
Score: 96 / 100
Signature
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Trojan.Sabsik
Status: Malicious
First seen: 2021-09-03 01:13:48 UTC
AV detection: 17 of 43 (39.53%)
Threat level: 5/5
Result
Malware family: redline
Score: 10/10
Tags: family:redline discovery infostealer spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Reads user/profile data of web browsers
RedLine
RedLine Payload
Malware Config
C2 Extraction: 185.215.113.29:8678

Unpacked files
SHA256 hash: 9535c968deac76b07b81338316691050af68de604c5ac9b8ce88fb13af79aa22
MD5 hash: b726df75f1ef2ca4e8e4c201cc323464
SHA1 hash: afbc5f2384bad1cf44d88b3e6a0e2e08683ddfcf

SHA256 hash: 49024e791cf17a4255a3b5a33bfede6ed8f9ab28c34d7b10ce7c3676498fa969
MD5 hash: 0d79cf0987744082d998343280d9b2d5
SHA1 hash: 6810c7f1f15bdd644e0c0ffd0e341c71dc2deeeb

SHA256 hash: 71834babc65f6ca37d984e3cd28656ccfdfc7947d65c92080c84df0dd261b3d0
MD5 hash: 930113d93ac139570d8cf41e39400215
SHA1 hash: 0152da485ccfb299b2f17bd3af7e5c733b1f294d

SHA256 hash: f150c064aa08e8d327c99a2edf0811a9bb6e06398d0d846b69a0c321ff6ab259
MD5 hash: 83e6e738876fde792abae146193d4963
SHA1 hash: a5b3ab13138039b198a3454d99fd9e43a5d10f3b
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f150c064aa08e8d327c99a2edf0811a9bb6e06398d0d846b69a0c321ff6ab259 (this sample)

Delivery method: Distributed via web download

Comments